By David Fagan and Sumon Dantiki

Recently, several media outlets reported that the New York State Department of Financial Services (“NYDFS”) sent a letter to many of the nation’s banks regarding the “level of insight financial institutions have into the sufficiency of cybersecurity controls of their third-party service providers.” The letter requested financial institutions to… Continue Reading

By Ani Gevorkian

On Monday, the Consumer Financial Protection Bureau (CFPB) finalized a rule that promotes more effective privacy disclosures and saves the financial services industry around $17 million. The new rule permits financial institutions that restrict data-sharing to post their annual privacy notices online rather than delivering them to customers individually. The rule will… Continue Reading

Last Friday, the FTC announced an agenda for its upcoming workshop, “Big Data: A Tool for Inclusion or Exclusion?” which will take place on Monday, Sept. 15, starting at 8:00 a.m. As we’ve previously reported, the workshop will build on recent efforts by the FTC and other government agencies to understand how new technologies affect… Continue Reading

Last week, the Securities and Exchange Commission announced that it will conduct more than 50 cybersecurity examinations to identify risks and ensure that broker-dealers and investment advisers are adequately protecting customer information. Below are some key takeaways from the Risk Alert that the SEC’s Office of Compliance Inspections and Examinations released with its announcement:

By Hee-Eun Kim and Monika Kuschewsky

In January 2014, a massive data leak of some 104 million credit card accounts shocked South Korea. The number of affected accounts was twice the population of South Korea. The incident arose when a temporary employee of a personal credit rating agency that manages personal financial… Continue Reading

Data security continues to be a hot issue on Capitol Hill, and just yesterday Attorney General Eric Holder urged Congress to create a “strong, national standard” for quickly reporting data breaches to consumers. Democratic and Republican senators have been busy drafting legislation that would establish national requirements for data security and breach notice. The following… Continue Reading

Routine SEC examinations of investment advisers and investment companies this year will include scrutiny of these entities’ cybersecurity policies, an SEC official told attendees Thursday at a national agency-hosted compliance seminar. The SEC’s Regulation S-P, which implements the federal Gramm-Leach-Bliley Act, requires brokers, dealers, investment companies, and registered investment advisers to “adopt policies and procedures… Continue Reading

At a co-hosted event last week, Covington & Burling LLP and The George Washington University’s Cybersecurity Initiative released an issue brief on the growing threats of cyberespionage and trade secret theft and responses to address these threats. The paper provides an overview of existing laws and policy reforms being considered in the U.S. and European… Continue Reading

Earlier this month, the Consumer Financial Protection Bureau (CFPB) posted its semi-annual update of its rulemaking agenda for the coming 12-month regulatory cycle, including recently-completed rulemakings. The rulemaking agenda is part of a broader initiative led by the Office of Management and Budget (OMB) to publish a Unified Agenda of federal regulatory and deregulatory actions across… Continue Reading

Last week, the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) published in the Federal Register a joint rule requiring entities regulated by the agencies to adopt programs to detect and prevent identity theft. The rule is referred to as the “red flags rule” and applies to certain broker-dealers, mutual funds, investment advisers, futures… Continue Reading

On March 27, 2013, the Federal Reserve released a report on consumers’ use of mobile banking and mobile payments. The report follows a similar report issued by the Federal Reserve last year. The report found that use of mobile banking has increased significantly in the past year while use of mobile payments has increased as well.… Continue Reading

Earlier this week, the House of Representatives passed H.R. 749, the Eliminate Privacy Notice Confusion Act. The bill is sponsored by Rep. Blaine Luetkemeyer (R-MO) and Rep. Brad Sherman (D-CA). An earlier version of the bill passed the House in December but was never taken up by the Senate. We previously covered similar legislation introduced by… Continue Reading

This week, the Federal Trade Commission released a study of the U.S. credit reporting industry and credit report accuracy. The study found that five percent of consumers had errors on one of their three nationwide credit reports that could lead them to pay more for financial products. The study is required under section 319 of the… Continue Reading

In his State of the Union message on Tuesday, President Obama announced that he had signed an Executive Order addressing the cybersecurity of critical infrastructure. President Obama emphasized that in the face of threats to corporate secrets, the power grid, and financial institutions, among others, “We cannot look back years from now and wonder why… Continue Reading

On January 22, 2013, the Federal Financial Institutions Examination Council proposed guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by depository institutions. The proposed guidance would not impose additional compliance obligations on institutions. Instead, the guidance is intended to help financial institutions understand potential… Continue Reading

In its most recent issue of the Supervisory Insights newsletter, the Federal Deposit Insurance Corporation (FDIC) describes mobile payment technologies, the risks they pose to depository institutions, and the regulatory framework applicable to such technologies. The FDIC notes the widespread use of smartphones as a payment technology and the increasing availability of point-of-sale terminals equipped… Continue Reading

On Friday, November 30, the Federal Trade Commission (FTC) issued an Interim Final Rule to amend its Red Flags Rule, which requires certain financial institutions and creditors to establish programs to detect, prevent and mitigate identity theft in connection with consumer accounts. The Interim Final Rule narrows the definition of “creditor” in response to legislation… Continue Reading

Last week, the Consumer Financial Protection Bureau (CFPB) announced that it had established a process for assisting consumers with credit reporting complaints. The CFPB previously had implemented similar processes for complaints relating to credit cards, mortgages, bank accounts and services, private student loans, vehicle, and other consumer loans. The complaint process is intended to complement the… Continue Reading

Last week, the Consumer Financial Protection Bureau (CFPB) released a study comparing credit scores sold to creditors and those sold to consumers. The study found that approximately 1 in 5 consumers would, upon purchasing their credit score from a consumer reporting agency, receive a different credit score than the score provided to creditors for use in… Continue Reading

In an interview with Information Security Media Group, William Henley, Associate Director of the Federal Deposit Insurance Corporation’s (FDIC) Technology Supervision Branch, discussed the status of the banking industry’s implementation of FFIEC authentication guidance released in July 2011. Henley generally said that the industry was working towards compliance and offered that FDIC examiners at this stage… Continue Reading

An employment background screening company will pay a $2.6 million civil penalty to settle Federal Trade Commission charges under the Fair Credit Reporting Act. The FTC alleged that HireRight Solutions, Inc., which compiles background reports to assist employers in making hiring and other employment-related decisions, is a consumer reporting agency since its reports “bear on… Continue Reading

The Consumer Financial Protection Bureau (CFPB) has issued a final rule to implement its authority under section 1024 of Dodd-Frank to subject “larger participants” in the consumer reporting market to CFPB supervision. The rule will have significant consequences for companies in the consumer reporting industry. The final rule follows a proposed rule issued in February… Continue Reading

A bank that required a commercial customer to answer “challenge questions” for virtually all online payments and that did not implement other common security measures failed to provide a commercially reasonable level of security, the U.S. Court of Appeals for the First Circuit ruled this week. The case arose when unknown hackers were able to… Continue Reading